
Any Centrify Express users here? It's free and it's a complete rewrite of the Apple AD bind, it seems. I wonder if it would be worth it to ditch Apple's own tool and move to this, seeing as Centrify had AD working before Apple did :D

Seems to be something that I did to make it not work. I've got it going now. So, this is great and everything, but is there any way to define what AD groups will automatically have Admin access when logging in or is that a function of their paid product?

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


Paid product, I think.

In fact, I'm a little stumped how you got a mobile account working too. That is also supposed to be a part of the paid product, from what I understand.

But I've just started looking into this. Not a Centrify guru by any stretch.

Jeffrey Compton

Lead I.S. Engineer | Mac Security | The MITRE Corporation | Office: 703-983-3163


I manually converted it.

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Holy crap. How long has this been out there??? I'll be testing this with Lion TO-DAY.

j
---
Jared F. Nichols


I just noticed it today. I tested it out and it seemed to have worked! Having SMB issues but hey this is a start!

--
Matt Lee


Yeah I just bound a 10.7 GM install to the domain with it. Works! Now to test the offline/caching that I really need.

j
---
Jared F. Nichols


Centrify Express has been around a while. If it works for you over the built-in stuff, go for it.


Out of interest, did your AD pass the AD check?

Regards,

Ben.


It did. I only had one error with SSH.

--
Matt Lee


WOOOO OFFLINE LOGINS, KERBEROS TICKETS.... whole shootin' match.

j
---
Jared F. Nichols


I had weird SMB issues; how's SMB working?


Actually, I can't connect to anything SMB now. Neither hostname nor IP works. AFP is OK though.

j
---
Jared F. Nichols


Scratch that... it's just extremely slow.
---
Jared F. Nichols


I have everything working perfectly now. I did a clean install of 10.7, installed the Centrify plugin, bound to AD, restarted and BAM! Kerberized deliciousness!!!

Looks like we have a winner winner!


Any SMB connectivity issues? I'm dead slow over here.

j
---
Jared F. Nichols


Nope, just transferred a few gigs of files setting up my profile and had no issues at all.

The one thing I did notice was that it defaulted me to a Network Account and not a Mobile Account. I had to go and convert the account manually.


Yeah, I did notice it said "network"; however, offline logins worked OK for me. Wonder if the network vs. mobile account has anything to do with the SMB issue.

j
---
Jared F. Nichols


It might, try converting the account to a mobile account.


Using Centrify's account migration tool, I assume?

Jeffrey Compton


No, I went into System Preferences and clicked Mobile Account.

--
Matt Lee


I found that Centrify Express is missing something we need: determining Admin rights for specific AD groups. That's something left to their paid products called "zones" apparently. So close, yet so far :)

j
---
Jared F. Nichols


Why not script this via Casper anyway, as the groups in AD only work when online and not offline?

Regards,

Ben.


OK - a lot of confusion on this, mostly because the built-in AD plugin and Centrify Express handle things very differently.

First off, the out-of-the-box Centrify Express install does indeed work for offline logins. I don't know what happened with my first install, but it probably was related to the fact that I was trying all kinds of crazy things with the built-in AD plugin before trying CE. I re-imaged 10.7, installed CE, and all was OK. I could log in offline, online, Kerberos kosher, etc. Overall, it works much better than the 10.7.0 AD plugin, although the initial network login is quite slow. But we are testing the 10.7.2 developer seed right now. Will report on that later.

A "mobile account" is actually an account copied from the AD to local directory services.

With CE, somehow they are caching network credentials without actually creating that mobile account. Like you posted, Mathew, you can indeed go to Sys Prefs, authenticate as a local admin, and then create the mobile account manually. But with the built-in AD plugin, you can set that globally to create the mobile account at login. Would love to know if you could do that with CE.

Jeffrey Compton


I need to play with it more. All I know is I am finally able to bind to AD! I do get a yellow dot though.

--
Matt Lee


The issue with that is that you'd have to enumerate the groups to see what individual accounts are in the AD group and then add those individual accounts to the admin group. That's not a game I want to be in. I want to add an AD group to the Admin group and be done with it. It's how it's supposed to work anyway.

j
---
Jared F. Nichols
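The "add an AD group to the local admin group and be done with it" approach Jared describes, as an added example that is not part of this thread and is not Centrify's or Apple's own code. It nests an AD group into the local `admin` group with Apple's `dseditgroup`, and checks a `dscl . -read /Groups/admin` record to confirm the nesting took. Assumptions not stated in the thread: the Mac is already bound, the AD group name resolves through the client's directory search path (true for Apple's plugin; with Centrify Express, verify that first), and `EXAMPLE\Mac Admins` and the GUID are placeholders.

```bash
#!/bin/bash
# Added example, not code from the thread or from Centrify/Apple.
# Goal: give every member of one AD group local admin rights by nesting that
# AD group inside the local 'admin' group, rather than enumerating the AD
# group's members and adding them to 'admin' one at a time.
#
# Assumptions (not stated in the thread): the Mac is already bound, and the
# AD group name resolves through the client's directory search path (true for
# Apple's AD plugin; for Centrify Express, confirm with 'dscl' first).
# "EXAMPLE\Mac Admins" is a placeholder group name.

# Emit the dseditgroup command that nests an AD group into 'admin'.
# It is returned as text rather than executed so it can be reviewed, or
# dropped into a Casper policy, before it touches a production client.
nest_ad_group_cmd() {
    ad_group="$1"
    printf 'dseditgroup -o edit -n /Local/Default -a "%s" -t group admin\n' "$ad_group"
}

# Check whether a GUID is listed on the NestedGroups line of a
# 'dscl . -read /Groups/admin' record. The record text is passed in, so the
# same check works on a saved copy of the output (and runs offline here).
# Returns 0 when the GUID is nested, 1 otherwise.
admin_has_nested_guid() {
    record="$1"
    guid="$2"
    printf '%s\n' "$record" | awk -v g="$guid" '
        $1 == "NestedGroups:" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, shaped like 'dscl . -read /Groups/admin' on a client
# where one AD group has already been nested (the GUID is made up).
SAMPLE_ADMIN_RECORD='AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-CDEF-ABCDEF000050
GroupMembership: root localadmin
NestedGroups: 6B2D7C1E-3F4A-4D5B-9E8F-0A1B2C3D4E5F
PrimaryGroupID: 80
RecordName: admin'

# Stand-alone run: show the command that would be pushed, then verify the
# sample record against the GUID of the group we expect to be nested.
nest_ad_group_cmd 'EXAMPLE\Mac Admins'
if admin_has_nested_guid "$SAMPLE_ADMIN_RECORD" 6B2D7C1E-3F4A-4D5B-9E8F-0A1B2C3D4E5F; then
    echo "AD group is nested in admin"
else
    echo "AD group is NOT nested in admin"
fi
```

Two caveats a practitioner would want before pushing this: run the emitted `dseditgroup` line as a local admin (or add `-u`/`-p` for the local admin account), and remember Ben's point that AD group lookups need the domain reachable, so whether a nested AD group still grants admin rights at an offline login depends on what the directory plugin caches, which is something to test on the client rather than assume.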